Uncertainty around the resource server's handling of the access token
Issue #96
resolved
8.3 Uncertainty around the resource server's handling of the access token
There is no way for the client to find out whether resource access was granted for a Bearer token or a holder-of-key token.
The two differ in risk profile, and the client may want to differentiate between them.
To support this, the resource server shall not accept a Bearer token if it supports MTLS tokens with the Bearer authorization header.
I think the wording needs to be made clearer. Are we saying that the resource server must not accept plain bearer tokens, and must only accept tokens bound to the TLS session (either via OAUTB or MTLS)?
Comments (5)
- changed status to resolved
- Part 2: Fix #96. → <<cset 609e932c2060>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
Yes.
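As an added illustration of the check this issue asks for (a resource server that supports MTLS-bound tokens refuses plain Bearer tokens and accepts only tokens bound to the TLS session), the following Python is example code written for this page; it is not part of the FAPI specification and not code from the issue thread. It assumes the access token has already been validated (signature or introspection, expiry, audience) and that the binding is expressed as an RFC 8705 `cnf` claim carrying an `x5t#S256` certificate thumbprint. The function names and the stand-in certificate bytes are constructed for the example.

```python
import base64
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates (not real certificates;
# only their bytes matter for the thumbprint computation in this example).
CLIENT_CERT_DER = b"constructed-DER-bytes-for-the-legitimate-client-certificate"
OTHER_CERT_DER = b"constructed-DER-bytes-for-some-other-certificate"


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 as defined in RFC 8705: base64url(SHA-256(DER)), without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_sender_constraint(claims: Dict, presented_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Decide whether a resource server that supports MTLS-bound tokens should
    honour this token, given the client certificate seen on the TLS session.

    `claims` are the already-validated token claims (JWT payload or introspection
    response). Returns (accepted, reason).
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        # The point raised in the issue: a plain Bearer token leaves the client unable
        # to tell which risk profile applied, so a server that supports MTLS-bound
        # tokens refuses it outright instead of silently downgrading.
        return False, "plain Bearer token rejected: no cnf/x5t#S256 binding"
    if presented_cert_der is None:
        return False, "bound token rejected: no client certificate on the TLS session"
    if cnf["x5t#S256"] != cert_thumbprint(presented_cert_der):
        return False, "bound token rejected: certificate thumbprint mismatch"
    return True, "accepted: token bound to the presented client certificate"


def example_decisions() -> Dict[str, bool]:
    """Run the check over constructed tokens; returns the accept/reject outcome per case."""
    bound = {"sub": "client-1", "cnf": {"x5t#S256": cert_thumbprint(CLIENT_CERT_DER)}}
    bearer = {"sub": "client-1"}  # same claims, but no confirmation method at all
    return {
        "bearer_no_binding": check_sender_constraint(bearer, CLIENT_CERT_DER)[0],
        "bound_matching_cert": check_sender_constraint(bound, CLIENT_CERT_DER)[0],
        "bound_wrong_cert": check_sender_constraint(bound, OTHER_CERT_DER)[0],
        "bound_no_cert": check_sender_constraint(bound, None)[0],
    }


if __name__ == "__main__":
    for case, accepted in example_decisions().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

Only the second case is accepted: the token carries a confirmation thumbprint and the certificate on the TLS session hashes to it. A token without `cnf` is refused even when a valid client certificate is present, which is exactly the behaviour the issue proposes so that the client never has to guess which token type was honoured.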